Yep, good catch. I have fixed these and they will be synced to SVN soon.
Thanks.
--
Ryan Barnett
From: Ken Brucker <Ken@...<mailto:Ken@...>>
Date: Wed, 31 Aug 2011 11:12:15 -0500
To: Ryan Barnett <ryan.barnett@...<mailto:ryan.barnett@...>>
Cc: "mod-security-users@...<mailto:mod-security-users@...>" <mod-security-users@...<mailto:mod-security-users@...>>
Subject: Re: [mod-security-users] Testing some policy/size-limit rules.
[ Resending from subscribed account ]
How does one get the generic rule (960209) to work though?
I was just experimenting with it as well and it has not been working. I have the following in my config:
SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=90"
Looking at the related rule in modsecurity_crs_23_request_limits.conf, I think the problem is in the chained rule:
SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" ...
By my read of the docs &ARGS_NAMES is the count of how many ARGS_NAMES there are, not the length of each.
In my testing I've found that by removing '&' from the above syntax the rule behaves as expected. There's another length-based test in rule 960208 that will break in a similar way.
Using CRS 2.2.1 btw.
-- Ken
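The count-versus-length distinction Ken describes (and the per-value t:length check in Ryan's suggested rule) modelled in Python, as an added illustration that is not ModSecurity, CRS, or any poster's code. The sample argument names are constructed, and t_length, resolve_target and rule_gt are hypothetical helpers that mimic the documented semantics: a bare collection yields one value per member, the '&' prefix yields a single value holding the member count, and transformations are applied to whatever string the target yields.

```python
# Added illustration (not ModSecurity or CRS code): a small model of how a
# SecRule target is evaluated with and without the '&' count prefix, to show
# why "&ARGS_NAMES ... t:length" never enforces a per-name length limit.

# Constructed sample request: one over-long parameter name plus two short ones.
ARGS_NAMES = ["uname" + "b" * 90, "submit", "csrf"]
ARG_NAME_LENGTH = 90  # mirrors setvar:tx.arg_name_length=90 from the thread


def t_length(value: str) -> str:
    """Model of t:length: replace the value with its byte length, as a string."""
    return str(len(value.encode("utf-8")))


def resolve_target(names, count: bool):
    """Model of target resolution.

    ARGS_NAMES yields one value per argument name; &ARGS_NAMES yields a single
    value, the number of names in the collection, rendered as a string.
    """
    if count:
        return [("&ARGS_NAMES", str(len(names)))]
    return [(f"ARGS_NAMES:{n}", n) for n in names]


def rule_gt(names, threshold: int, count: bool, transforms=(t_length,)):
    """Evaluate '@gt threshold' over the transformed target values.

    Returns the matched variable names; an empty list means the rule did not
    fire.  Transformations run on whatever string the target produced, so with
    '&' they act on the count rather than on the individual names.
    """
    matched = []
    for var_name, value in resolve_target(names, count):
        for transform in transforms:
            value = transform(value)
        if int(value) > threshold:
            matched.append(var_name)
    return matched


if __name__ == "__main__":
    # With '&' the rule sees the count ("3"), never the 95-byte name: no match.
    print("&ARGS_NAMES + t:length:", rule_gt(ARGS_NAMES, ARG_NAME_LENGTH, count=True))
    # Without '&' each name is length-checked: the over-long one matches.
    print(" ARGS_NAMES + t:length:", rule_gt(ARGS_NAMES, ARG_NAME_LENGTH, count=False))
    # '&' without t:length is a legitimate *count* limit (fires at 91 parameters).
    print("&ARGS_NAMES, no t:length:", rule_gt(["a"] * 91, 90, count=True, transforms=()))
```

The last call shows what the '&' form is actually good for: capping the number of parameters in a request, which is a separate control from capping the length of each parameter name.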
On Aug 30, 2011, at 10:03 AM, Ryan Barnett wrote:
Try -
SecRule ARGS:name "@gt 10" \
    "phase:2,t:none,t:length,block,msg:'Name Parameter Payload Too Large.',id:'960209',severity:'4',rev:'2.2.1',\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
    setvar:tx.policy_score=+%{tx.notice_anomaly_score},\
    setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
-Ryan
On 8/30/11 10:59 AM, "Usman Waheed" <usmanw@...<mailto:usmanw@...>> wrote:
That's right, restrict the name_size of the parameter (name) to not more than 10 characters long.
What are you trying to do here? Create some custom rules that restrict the size of the payload of the parameter named "name"?
-Ryan
On 8/30/11 10:33 AM, "Usman Waheed" <usmanw@...<mailto:usmanw@...>> wrote:
Hi,
I am testing out the default rules that come with mod_security in my test setup and have the following below in my config files. For some reason this rule does not trigger when I set the size of a text input field to 100+ characters.
For example in my test form (method: POST) I have:
<input type=text name="unamebbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"></td>
Appreciate it if I could get some pointers.
I also tried with ARGS_GET_NAMES instead of ARGS_NAMES but no luck.
Thanks,
Usman
## Limit argument name length (modsecurity_crs_10_config.conf)
SecAction "phase:1,id:'981212',t:none,nolog,pass,setvar:tx.arg_name_length=100"

## modsecurity_crs_23_request_limits.conf
SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
    "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.1'"
    SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" \
        "t:none,t:length,setvar:'tx.msg=%{rule.msg}',\
        setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
        setvar:tx.policy_score=+%{tx.notice_anomaly_score},\
        setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
mod-security-users mailing list
mod-security-users@...<mailto:mod-security-users@...>
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/application-security.php
--
Using Opera's revolutionary email client: http://www.opera.com/mail/

On 31.08.2011 16:29, kwenu wrote:
> Still the same - I'm using crs_2.2.2 as directed by Ryan
>
> Ever since I recompiled against apache 2.2.19 I've had major problems with segmentation faults and now rules are
> behaving differently after compiling against apr v 1.3.12 and pcre v 8.x
Do you not think your APR is a little bit old?
ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"